Add and update users with LDAP Just-In-Time provisioning

Just-In-Time (JIT) provisioning enables automatic user account creation in Okta the first time that a user authenticates with Lightweight Directory Access Protocol (LDAP) delegated authentication.

JIT account creation and activation only works for users who aren't already Okta users. This means that users who are confirmed on the import results page, regardless of whether they were subsequently activated, aren't eligible for JIT activation. When JIT is enabled, users don't receive activation emails.

For JIT provisioning, you must enable delegated authentication. If you don't enable delegated authentication, you can only create user accounts using bulk import.

When you enable JIT for your org and select delegated authentication for your LDAP integration, JIT is used to create user profiles and import user data.

For a list of known issues, see LDAP integration known issues.

  1. In the Admin Console, go to Directory > Directory Integrations.
  2. Click LDAP and then click the Provisioning tab.
  3. Click To Okta in the Settings list.
  4. Click Edit in the General area.
  5. Select the Create and update users on login checkbox next to JIT provisioning.
  6. Scroll down and click Save.